Jump to content

Dump online battle videos from codes

Eskuero
 Share

Recommended Posts

Eskuero

Eskuero

Posted
Posted (edited)

I'll simply put the relevant steps/commands for their usage with Pokemon SM and NTR Debugger here, but you can still read all the research that was done back in sixth gen times by opening the spoiler:

1 - Get NTR CFW loaded and start the debugger
2 - Connect to your 3DS debugger using the PC client

Quote

connect('YOUR 3DS IP', 8000)

3 - Write the code of the battle video you want to dump on the Vs. Recorder.
4 - Start the video playing
5 - While the video is playing write the following command

Quote

data(0x32B9D5E4, 0x2BC0, filename='Video', pid=0x29)

6 - Video will be saved on the same folder as your NTR Debugger client.
7 - You can open this file with PkHeX to see the involved player's team.

*Replace YOUR 3DS IP with the one that corresponds to yours. You can easily get it using third party homebrew like FTPbrony*
*The number in bold is the process id that corresponds to the game and may vary between reboots, you can check which one is it by using the command listprocess() at the moment of dumping by looking at the one that corresponds to niji_loc*

Spoiler

Time ago I asked if this was possible and it indeed was so I spent some time documenting how it worked, but since I did in a painful way that implied dumping heavy pieces of RAM and using an hex editor to choose the correct bytes corresponding to the battle video I just decided to play a bit more around it to document which offsets contains the correct data and how to dump them easier. All of this was done on a New3DS running NTR CFW and doing the dumps over an Alpha Sapphire card, but it should work the same for Old3DS and other versions of six generation games.

Sorry if the formatting with spoilers is annoying, I find it much more cleaner this way :)

How to recognize a battle video:

 

After doing a few memory dumps and diving into them using and hex editor I found five regions, I refer to them as slots, that were likely to contain data related to battle videos.

Offsets based on a 0x08000000 region dump of a Pokemon game: 1FBA70, 208E40, 2E74AC, 8D6D30 and 8DED48.

Every battle video has always a size of 2E60 and they always start with the following hex values: 0X 81 E2 00 00

As far as I know X can be anything between 0-F.

Experimenting:

 

1 - Clean boot of the game without any battle video uploaded and five stored on extdata:

Slot 1 contains data similar to the latest video locally saved but the game crashes trying to read it. Slot 2 contains always a clean 1:1 of the battle video.

Only Slot 2 data can be read by pkhex. Slot 3 and 5 are almost empty while Slot 4 contains lots of unknown data.

2 - Writting a battle code and waiting on preview:

Slot 1 and 2 remains the same. Battle video is almost 1:1 copied to slot 4 and 5. Slot 3 contains traces of the video but PKHeX is unable to read it and the VS. Recorder cannot as well.

3 - Watching the battle video from the code:

Slot 1 and 3 remains the same. Slot 4 and 5 are bloated with unknown data. Slot 2 now stores the clean 1:1 copy of the battle video playing.

4 - Going back with the preview still there:

All remains the same.

5 - Closing the preview:

All remains the same.

6 - Previewing a stored video:

All remains the same.

7 - Watching a stored video:

All remains the same except that the video currently played is now copied onto slot 2.

8 - Closing Vs. Recorder and opening again:

All is back to the initial state except that now Slot 5 contains unknown data.

9 - Reading another battle code and staying on preview:

All is the same as step 2.

10 - Playing the video:

Slot 4 is full of crap. Everything remains the same except that Slot 2 now also contains a 1:1 copy of the video.

11 - Opening preview of another battle code:

Slot 1 stays same as always. Slot 2 still contains copy of the most recent video played. Slot 4 and 5 are identical and readable with PKHeX.

Slot 3 contains references to the actual preview but is no readable by anything.

12 - Watching the video:

Slot 4, Unknown data, Slot 5, 3 and 1 the same. Slot 2 is a clean copy of the battle video.

13 - Uploading a stored battle video, closing and opening VS. Recorder:

No difference in comparisson with step 1.

Conclusion:

 

Slot 1 -Always stays the same and stores a file similar to the most recent battle video stored on extdata but it's structure makes it unreadable for both VS. Recorder and PKHeX. Contains ekx data.

Slot 2 - Stores a 1:1 copy of the currently played video. Stores that battle video until a new one is started. Of course this contains ekx data.

Slot 3 - Contains several references to battle currently previewed/watched. While is unreadable by PKHeX and by the VS. Recorder it contains ekx data.

Slot 4 and 5 - Sometimes stores nothing, sometimes stores almost 1:1 copies of the battle video previewed that can be read by PKHeX, not by VS. Recorder and sometimes apparently contains PSS passenger data. Not a trustable source.

*I actually doubt this two ones are the only ones with this behaviour.*

So the most trustable way to dump a battle video from a code is dumping Slot 2 while the video is actually playing. This will generate a 1:1 copy of the original file that can be read with PKHeX and even injected onto your own extdata.

Commands for NTR Debugger:

 

Slot 1 - data(0x81FBA70, 0x2E60, filename='Video1', pid=0x29)

Slot 2 - data(0x8208E40, 0x2E60, filename='Video2', pid=0x29)

Slot 3 - data(0x82E74AC, 0x2E60, filename='Video3', pid=0x29)

Slot 4 - data(0x88D6D30, 0x2E60, filename='Video4', pid=0x29)

Slot 5 - data(0x88DED48, 0x2E60, filename='Video5', pid=0x29)

The pid may vary a lot. For me it's usually either 29 o 2b but the easier way to know is run the command listprocess() and search for pid that corresponds the process named "sango-X" on the list.

 

 

Edited by Eskuero
Link to comment
Share on other sites
quantumsource

quantumsource

Posted
Posted
Time ago I asked if this was possible and it indeed was so I spent some time documenting how it worked, but since I did in a painful way that implied dumping heavy pieces of RAM and using an hex editor to choose the correct bytes corresponding to the battle video I just decided to play a bit more around it to document which offsets contains the correct data and how to dump them easier. All of this was done on a New3DS running NTR CFW and doing the dumps over an Alpha Sapphire card, but it should work the same for Old3DS and other versions of six generation games.

Sorry if the formatting with spoilers is annoying, I find it much more cleaner this way :)

How to recognize a battle video:

After doing a few memory dumps and diving into them using and hex editor I found five regions, I refer to them as slots, that were likely to contain data related to battle videos.

Offsets based on a 0x08000000 region dump of a Pokemon game: 1FBA70, 208E40, 2E74AC, 8D6D30 and 8DED48.

Every battle video has always a size of 2E60 and they always start with the following hex values: 0X 81 E2 00 00

As far as I know X can be anything between 0-9.

Experimenting:

1 - Clean boot of the game without any battle video uploaded and five stored on extdata:

Slot 1 contains data similar to the latest video locally saved but the game crashes trying to read it. Slot 2 contains always a clean 1:1 of the battle video.

Only Slot 2 data can be read by pkhex. Slot 3 and 5 are almost empty while Slot 4 contains lots of unknown data.

2 - Writting a battle code and waiting on preview:

Slot 1 and 2 remains the same. Battle video is almost 1:1 copied to slot 4 and 5. Slot 3 contains traces of the video but PKHeX is unable to read it and the VS. Recorder cannot as well.

3 - Watching the battle video from the code:

Slot 1 and 3 remains the same. Slot 4 and 5 are bloated with unknown data. Slot 2 now stores the clean 1:1 copy of the battle video playing.

4 - Going back with the preview still there:

All remains the same.

5 - Closing the preview:

All remains the same.

6 - Previewing a stored video:

All remains the same.

7 - Watching a stored video:

All remains the same except that the video currently played is now copied onto slot 2.

8 - Closing Vs. Recorder and opening again:

All is back to the initial state except that now Slot 5 contains unknown data.

9 - Reading another battle code and staying on preview:

All is the same as step 2.

10 - Playing the video:

Slot 4 is full of crap. Everything remains the same except that Slot 2 now also contains a 1:1 copy of the video.

11 - Opening preview of another battle code:

Slot 1 stays same as always. Slot 2 still contains copy of the most recent video played. Slot 4 and 5 are identical and readable with PKHeX.

Slot 3 contains references to the actual preview but is no readable by anything.

12 - Watching the video:

Slot 4, Unknown data, Slot 5, 3 and 1 the same. Slot 2 is a clean copy of the battle video.

13 - Uploading a stored battle video, closing and opening VS. Recorder:

No difference in comparisson with step 1.

Conclusion:

Slot 1 -Always stays the same and stores a file similar to the most recent battle video stored on extdata but it's structure makes it unreadable for both VS. Recorder and PKHeX. Contains ekx data.

Slot 2 - Stores a 1:1 copy of the currently played video. Stores that battle video until a new one is started. Of course this contains ekx data.

Slot 3 - Contains several references to battle currently previewed/watched. While is unreadable by PKHeX and by the VS. Recorder it contains ekx data.

Slot 4 and 5 - Sometimes stores nothing, sometimes stores almost 1:1 copies of the battle video previewed that can be read by PKHeX, not by VS. Recorder and sometimes apparently contains PSS passenger data. Not a trustable source.

*I actually doubt this two ones are the only ones with this behaviour.*

So the most trustable way to dump a battle video from a code is dumping Slot 2 while the video is actually playing. This will generate a 1:1 copy of the original file that can be read with PKHeX and even injected onto your own extdata.

Commands for NTR Debugger:

Slot 1 - data(0x81FBA70, 0x2E60, filename='Video1', pid=0x29)

Slot 2 - data(0x8208E40, 0x2E60, filename='Video2', pid=0x29)

Slot 3 - data(0x82E74AC, 0x2E60, filename='Video3', pid=0x29)

Slot 4 - data(0x88D6D30, 0x2E60, filename='Video4', pid=0x29)

Slot 5 - data(0x88DED48, 0x2E60, filename='Video5', pid=0x29)

The pid may vary a lot. For me it's usually either 29 o 2b but the easier way to know is run the command listprocess() and search for pid that corresponds the process named "sango-X" on the list.

SO GREAT, thanks

Link to comment
Share on other sites
  • 1 month later...
quantumsource

quantumsource

Posted
Posted

Eskuero, love your work, I am trying to apply the logic you use to my own fork of pkmn-ntr so I can use that app to view pokemon data directly. Let me know if you wanna help or get a copy. in the mean time one of the other functions I noticed that pkmnntr lacks(sadly by design) is the abillity to read pokemon team while in link or online battle. I figured you migh t be able to help me figure out the mem locations and maybe some logic to figure that out.

Link to comment
Share on other sites
Kaphotics

Kaphotics

Posted
Posted
28 minutes ago, quantumsource said:

in the mean time one of the other functions I noticed that pkmnntr lacks(sadly by design) is the abillity to read pokemon team while in link or online battle.

Might want to think about WHY that isn't a feature. If you remember Battle Analyzer from 2013 you'd stay away from developing online cheating functionality for public use. Even though you may have the morals to use it responsibly, anyone on the internet can use it  / modify for nefarious purposes.

 

Just be satisfied with battle video data dumping.

  • Like 1
Link to comment
Share on other sites
quantumsource

quantumsource

Posted
Posted
1 minute ago, Kaphotics said:

Might want to think about WHY that isn't a feature. If you remember Battle Analyzer from 2013 you'd stay away from developing cheating functionality for public use. Even though you may have the morals to use it responsibly, anyone on the internet can use it  / modify for nefarious purposes.

you make a good point, I'll try to be more careful about possible uses for my curiosity work

Link to comment
Share on other sites
  • 3 weeks later...
quantumsource

quantumsource

Posted
Posted
25 minutes ago, HaxAras said:

Would it have changed since then? Did it change from ORAS/XY? 

I just checked it didn't change as long as you play video from 1.1, but sadly videos taken in 1.0 won't play in 1.1. however I was still able to extract video gfiles saved with jksm and load them in pkhex just fine.

Link to comment
Share on other sites
HaxAras

HaxAras

Posted
Posted
Just now, quantumsource said:

I just checked it didn't change as long as you play video from 1.1, but sadly videos taken in 1.0 won't play in 1.1. however I was still able to extract video gfiles saved with jksm and load them in pkhex just fine.

I'll be honest. I was just trying to find something to say to replace my OG post because I forgot I was following this thread and have a PM with an almost identical name so I thought the email was a PM. I was just trying to cover my tracks and look like less of an idiot. 

Link to comment
Share on other sites
  • 5 months later...
  • 3 weeks later...
BlackShark

BlackShark

Posted
Posted

@RedOrb Sapphire

You need BootNTR installed on your 3DS. Get the latest BootNTR.cia from here https://github.com/44670/BootNTR/releases/latest (I'm not sure if it already supports 11.5)
If you have that installed you have to use the NTR Debugger Client for this guide. The latest version can be found in the starterpack from here https://github.com/44670/BootNTR/releases/tag/3.4preview2

Battle Videos are stored in the title's Extdata. In my opinion it's much easier to just dump it with a Save Editor like JKSM or SaveDataFiler.

Link to comment
Share on other sites
RedOrb Sapphire

RedOrb Sapphire

Posted
Posted
2 minutes ago, BlackShark said:

@RedOrb Sapphire

You need BootNTR installed on your 3DS. Get the latest BootNTR.cia from here https://github.com/44670/BootNTR/releases/latest (I'm not sure if it already supports 11.5)
If you have that installed you have to use the NTR Debugger Client for this guide. The latest version can be found in the starterpack from here https://github.com/44670/BootNTR/releases/tag/3.4preview2

Battle Videos are stored in the title's Extdata. In my opinion it's much easier to just dump it with a Save Editor like JKSM or SaveDataFiler.

Already have BootNTR ,I'm on 11.4 firmware,and from 3.4 and above the debugger is activated when I load it succesfully.

But here it said to write that string(data(0x32B9D5E4, 0x2BC0, filename='Video', pid=0x29)) while battle video is running but how I can do it?

Ok the part of dump via save editor but then?

 

1 - Get NTR CFW loaded and start the debugger2 - Connect to your 3DS debugger using the PC client

  Quote

connect('YOUR 3DS IP', 8000)

3 - Write the code of the battle video you want to dump on the Vs. Recorder.4 - Start the video playing5 - While the video is playing write the following command

I know the 3ds's ip but where should I put that value?

Link to comment
Share on other sites
BlackShark

BlackShark

Posted
Posted
4 minutes ago, RedOrb Sapphire said:

Already have BootNTR ,I'm on 11.4 firmware,and from 3.4 and above the debugger is activated when I load it succesfully.

But here it said to write that string(data(0x32B9D5E4, 0x2BC0, filename='Video', pid=0x29)) while battle video is running but how I can do it?

Ok the part of dump via save editor but then?

 

1 - Get NTR CFW loaded and start the debugger2 - Connect to your 3DS debugger using the PC client

  Quote

connect('YOUR 3DS IP', 8000)

3 - Write the code of the battle video you want to dump on the Vs. Recorder.4 - Start the video playing5 - While the video is playing write the following command

I know the 3ds's ip but where should I put that value?

You put it into the debugger

debugger.png

Link to comment
Share on other sites
BlackShark

BlackShark

Posted
Posted
3 minutes ago, RedOrb Sapphire said:

Ok now should be clear enough thank you :)

Is the NTR Debugger client  on the BootNTR's source folder?

No problem.
I already linked to the debugger in the post above.

25 minutes ago, BlackShark said:

The latest version can be found in the starterpack from here https://github.com/44670/BootNTR/releases/tag/3.4preview2

Direct link: https://github.com/44670/BootNTR/files/222950/NTR_3.4PREVIEW2_STARTER_KIT.zip

 

Link to comment
Share on other sites
RedOrb Sapphire

RedOrb Sapphire

Posted
Posted (edited)
29 minutes ago, BlackShark said:

The debugger should work with newer versions of BootNTR as well and yes the 8000 must be there too.

I tried with the 3.5 one but an error occured.I connected the two devices(pc and 3ds) to my smartphone so maybe something gone wrong.

I placed this on the debugger: connect('3DSIP',8000)

Have you ever tried with a newer version?I'll try the 3.4 later to check anyway ;)
 

Edited by RedOrb Sapphire
Link to comment
Share on other sites
BlackShark

BlackShark

Posted
Posted
4 minutes ago, RedOrb Sapphire said:

I tried with the 3.5 one but an error occured.I connected the two devices(pc and 3ds) to my smartphone so maybe something gone wrong.

I placed this on the debugger: connect('3DSIP',8000)

Have you ever tried with a newer version?I'll try the 3.4 later to check anyway ;)
 

I actually didn't test it, sorry, I would have to fix my 3DS first to do so. I just assumed 3.5 works fine since it's supposed to fix an issue with video streaming, which requires use of the debugger as well.

I hope you can get an older version to work!

Otherwise as I said you can also use JKSM or SaveDataFiler to export the game's Extdata.

Link to comment
Share on other sites
RedOrb Sapphire

RedOrb Sapphire

Posted
Posted
1 minute ago, BlackShark said:

I actually didn't test it, sorry, I would have to fix my 3DS first to do so. I just assumed 3.5 works fine since it's supposed to fix an issue with video streaming, which requires use of the debugger as well.

I hope you can get an older version to work!

Otherwise as I said you can also use JKSM or SaveDataFiler to export the game's Extdata.

I'll say you soon :)

Thank you very much for your disponibility BlackShark 

Link to comment
Share on other sites
RedOrb Sapphire

RedOrb Sapphire

Posted
Posted
3 hours ago, BlackShark said:

I actually didn't test it, sorry, I would have to fix my 3DS first to do so. I just assumed 3.5 works fine since it's supposed to fix an issue with video streaming, which requires use of the debugger as well.

I hope you can get an older version to work!

Otherwise as I said you can also use JKSM or SaveDataFiler to export the game's Extdata.

I simply taken my exdata folder of Moon from JK folder on my 3ds root and placed it on Pkhex and all work good.

Thank you for your support :)

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...